Abstracts of Magazine FUJITSU 2004-1 (VOL.55, NO.1)

Special Issue : Security

• Fujitsu's Approach to Information System Security

IT (Information Technology) is now a fundamental part of the social infrastructure, and the demands for information security have consequently expanded and diversified. In early 2000, there were various illegal accesses to Web servers, and those incidents forced companies to strengthen their firewalls and other Internet security devices. In addition, because of the recent spread of computer worms, most companies have found it necessary to ensure not only Internet security but also intranet security. On the other hand, information security has helped to increase the efficiency of business processes and reduce the complexity of business procedures by expanding the deployment of Electronic Application Services through the use of new technologies such as PKI and Electronic Signatures. Recently, interest in preventing information leakage has been increasing, because companies have become more acutely aware of their responsibility to protect personal information and their trade secrets. This paper explains how Fujitsu is meeting the needs for information security in the ubiquitous communications era.

• Fujitsu Security Solution Framework

A diverse range of technologies, for example, the Internet, wireless LANs, and mobile terminals, are now used to build information system infrastructures. E-commerce and e-Government systems are making progress toward new social infrastructures. These trends require new technical and operational IT security measures with clear guidelines for application. Fujitsu is promoting an integrated and systematized security solution framework that consists of 11 security solutions, including countermeasures against unauthorized access and information leakage. Each solution is a set of products and services designed in accordance with a set of basic policies referred to as Reference Security Policies. This paper describes the overall concept of the Fujitsu security solution framework and the goals and positioning of each component solution.

• Security Measures Provided by TRIOLE

In response to the dramatic changes that have occurred in the business environment, IT systems are being asked to play a key role in the quick development of applications to operate reliably and stably at reduced costs. Fujitsu has released "TRIOLE", which is an IT infrastructure that meets these needs. Because the Internet is used extensively in mission-critical and social infrastructure systems, particular emphasis must be placed on IT security measures. The TRIOLE component products support security functions such as countermeasures against unauthorized access, viruses, and information leakage. TRIOLE offers advanced security measures through a platform integration service that verifies the security at each stage of system construction and a security operation service. This paper gives an overview of TRIOLE. It also describes the application of TRIOLE core technologies to products and TRIOLE security measures focusing on platform integration.

• Security at Fujitsu's System Center

During a low-growth period such as the one we are currently experiencing, companies must reduce their costs, concentrate on their main business, and reform their operating procedures. Moreover, the need to utilize information systems through outsourcing has been increasing. Fujitsu provides outsourcing services at three main system centers, located at Tatebayashi, Akashi, and Tokyo. These services maintain and process customers' data, so it is important they maintain strong information security so that customers' operations run smoothly and efficiently. This paper outlines the services of the Fujitsu system center and the center's information security policy.

• Security at FUJITSU SOLUTION SQUARE

Information security in companies has been growing in importance as Internet penetration continues to increase. To protect their information against outside attacks, companies must build a strong security foundation. Security is also a key theme at Fujitsu, and it has led us to various business opportunities over the years. We have gained customer confidence in our security business by building our own security foundation, maintaining the security of our information, and providing our customers with the results they require. We have established "FUJITSU SOLUTION SQUARE," which is a new environment in which the most up-to-date security technology and various security approaches are practiced. This paper introduces the practical approaches we take at FUJITSU SOLUTION SQUARE. First, we describe the implementation of our Security Policy and digital-watermarking technology. Then, we present one of our customer's observations about using our security services. Lastly, we describe the collection of an operation log and then conclude the paper.

• Training for Information Security

In view of recent security-related incidents and the present situation regarding information security promotion in enterprises, the information security personnel of enterprises need a wider range of skills and knowledge than experts in other fields. This paper describes the skills and knowledge required of personnel who use and operate information security systems and promote, plan, design, and suggest information security measures. This paper also describes the training courses Fujitsu Learning Media provides for learning about information security solutions. These training courses include practical trial-and-error courses; inexpensive simulator courses that give students an equivalent learning experience as courses using real systems; ISMS examiner courses focused on practical exercises, including role-playing exercises; practical courses for ISMS construction; legal courses focused on the protection of private information; and end-user courses customized to the needs of individual customers.

• Fujitsu's New Carrier Framework

As has been consistently pointed out in various research, the shortage of IT security engineers has become a serious problem. To promote the training of IT security engineers, the Ministry of Economy, Trade, and Industry has established the Information Systems Security Administrator Examination as an examination of the Japan Information-Technology Engineers. As well as providing high-quality services to users, Fujitsu is also creating a new carrier framework system to train and motivate IT security engineers. This paper describes the concept of the Fujitsu carrier framework. It also gives an overview of the professional position called the Fujitsu Certified Professional (FCP), which is the position at the top of the framework, and a category of FCPs called the IT Architect (Security).

• Cryptographic Technology

Cryptography is a fundamentally important technology for information security. This paper introduces the latest research Fujitsu Laboratories is carrying out in the area of cryptographic technology. It is important to theoretically prove that a cryptosystem cannot easily be broken, and a methodology called "provable security" has recently been used to do this. However, this methodology is not always adequate. In this paper, we present a summary of provable security. Then, we describe two new types of attacks that are outside its scope of assurance and countermeasures we have developed for these attacks. The first type of attack attacks a weak point of the random number generator used to generate keys in cryptosystems; and the countermeasure we developed for this type is a new pseudorandom number generator algorithm called the SR2002, which is secure and fast. The second type is a side-channel attack that analyzes the electric power consumption of smart cards; and our countermeasure for this type is a method of randomizing register addresses.

• Client Security Technologies

People can now enjoy various services any time, anywhere by connecting user terminals (client equipment) such as personal computers, personal digital assistants (PDAs), and cellular phones to the Internet. However, this situation increases the need to enhance not only the security of severs and networks but also the authentication and security of user terminals. Specific points under discussion are the security of client terminals and the authentication of terminal users. For client terminal security, the Trusted Computing Group (TCG) is defining a set of standard specifications. A TCG-compliant personal computer will use a hardware chip that securely protects encryption keys based on the public key infrastructure (PKI) and cryptographic processing. For terminal user authentication, IC cards and biometric authentication technology are being applied. This paper describes Fujitsu's approaches to the development and future prospects of TCG-compliant personal computers, IC cards, biometric authentication technology, and content protection technology. This paper also looks at how these technologies are expanding into networked home appliances.

• E-Text Guarantee Solution for Integrity and Long-Term Storage of Electronic Documents

Replacing paper document storage with electronic information storage can reduce storage space and costs and also facilitate centralized management and secondary use of documents. However, to promote electronic information storage, there is an urgent need for an e-text storage solution that guarantees the integrity and long-term storage of electronic documents. Fujitsu has studied this problem and, as a result, developed a guarantee system that incorporates a function for authentication by a trusted third party (TTP). This is a total system, for example, it ensures that scanning operations are performed correctly, certifies compliance with regulations, creates digital signatures and time stamps with TTP authentication, and has a reliable "electronic safe." Fujitsu is preparing to offer this total system as an e-text guarantee solution. This paper describes the legal systems and technological trends related to this solution, the unique Fujitsu technologies that it is based on, and the current status of its development.